Can I ignore a data subject access request which may relate to an employment dispute?
Can I ignore a data subject access request if I think an ex-employee is fishing for information as part of an employment dispute? The short answer is no.
The employment dispute and data subject access request (DSAR) are entirely separate.
Under the UK General Data Protection Regulation (UK GDPR), an individual has the right to request whether an organisation is processing their personal data and if so, to access a copy of that personal data and certain other information.
You can refuse to deal with a DSAR if an exemption applies or if the DSAR is manifestly unfounded or manifestly excessive. The Information Commissioner’s Office (ICO) guidance on the right of access gives some examples of when a DSAR might be manifestly unfounded and includes where the “individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation” or “the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.” So, the context in which a DSAR is made is important but is not the deciding factor. Whether or not a DSAR is manifestly excessive depends on the circumstances of the request and whether it is obviously unreasonable. Again, context comes into play here but is only one of the considerations. Any decision to decline to deal with a DSAR on the basis that it is manifestly unfounded or manifestly excessive will need to be considered very carefully and recorded in case it is challenged later. If in doubt, you should seek legal advice to minimise the risk of the individual making a complaint to the ICO or taking legal action through the civil courts.
How did First Choice Selection Services contravene the UK GDPR?
A recent example of where an organisation got it wrong is the case of recruitment agency First Choice Selection Services Limited (First Choice). An individual was making a claim in the Employment Tribunal and made a DSAR to First Choice. A series of events followed:
- First Choice declined to deal with the DSAR on the basis that it would only release what the Employment Tribunal designated as the material to be disclosed in the employment claim
- The individual complained to the ICO. The ICO wrote to First Choice requiring First Choice to provide an appropriate response to the DSAR
- The ICO wrote to First Choice again on two further occasions following which it gave First Choice seven days to either provide an appropriate response to the individual or a timescale for the response
- First Choice did not comply so the ICO wrote a further letter confirming that First Choice had breached data protection law
- First Choice responded explaining that it was involved in ongoing Employment Tribunal proceedings and that it had been instructed not to release any information to the individual
- As First Choice had still not complied with the DSAR, the ICO wrote again asking for a full explanation and strongly recommending that the DSAR was dealt with as a matter of urgency
- First Choice replied and referred to the Employment Tribunal proceedings
- The ICO asked for evidence of the direction from the Employment Tribunal which First Choice failed to provide
- The individual however provided the ICO with a document that undermined First Choice’s assertion that document disclosure had been discussed during the Employment Tribunal proceedings
- The ICO once again wrote to First Choice requiring First Choice to respond to the DSAR or face further regulatory action
- Other than asking the ICO for advice on how to respond to the DSAR, First Choice took no further action in relation to the DSAR
- The ICO were subsequently sent a copy of an email from the Employment Tribunal confirming that the Tribunal had no jurisdiction to deal with data protection requests
As well as concluding that First Choice had breached data protection law, the ICO also found that First Choice had “wilfully sought to mislead” the ICO in relation to what had been said by the Employment Tribunal. The ICO issued an Enforcement Notice under the Data Protection Act 2018 requiring First Choice to respond to the DSAR and look at its internal processes and systems for dealing with future DSARs.
What should we do if we receive a DSAR?
If you receive a DSAR, then even if it appears to be related to an employment dispute, you should ensure that you:
- respond to the DSAR without undue delay and in any event within one month of receiving the request, unless there is a lawful reason for not dealing with the request or you can extend the time limit for responding to the DSAR, in which case you will need to let the individual know; and
- deal promptly with any correspondence from the ICO relating to the DSAR (or if there is a time limit given by the ICO to respond, within that time limit).
The potential consequence of failing to comply with an Enforcement Notice issued by the ICO is a financial penalty of up to £17.5 million or 4% of an organisation’s total annual worldwide turnover, whichever is the greater.
If you would like assistance with responding to a DSAR or any other data protection matter, then please get in touch.